
Add Teleport support #24

Merged
merged 1 commit into from
Nov 10, 2023

Conversation

nprokopic
Contributor

@nprokopic nprokopic commented Nov 9, 2023

What does this PR do?

This PR adds Teleport support that was originally added in cluster-aws here giantswarm/cluster-aws#334.

What is the effect of this change to users?

Teleport can be optionally enabled.

What does it look like?

Cluster chart Helm values to enable Teleport:

internal:
  teleport:
    enabled: true

Any background context you can provide?

What is needed from the reviewers?

Check that Teleport has been ported properly from cluster-aws.

Do the docs need to be updated?

We don't yet have proper docs for the cluster chart.

Should this change be mentioned in the release notes?

We have yet to write proper release notes for the cluster chart. For now it's just about porting stuff over from cluster-aws, so we will add a summary before the first release.


github-actions bot commented Nov 9, 2023

Rendered manifest diff
/spec/ignition/containerLinuxConfig/additionalConfig  (KubeadmConfig/org-giantswarm/awesome-def00)
  ± value change
    - systemd:
        units:      
        - name: kubeadm.service
          dropins:
          - name: 10-flatcar.conf
            contents: |
              [Unit]
              # kubeadm must run after coreos-metadata populated /run/metadata directory.
              Requires=coreos-metadata.service
              After=coreos-metadata.service
              [Service]
              # Ensure kubeadm service has access to kubeadm binary in /opt/bin on Flatcar.
              Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/bin
              # To make metadata environment variables available for pre-kubeadm commands.
              EnvironmentFile=/run/metadata/*
        - name: example1.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2.conf
            contents: |
              # Multi-line
              # contents goes here
        - name: example1-workers.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2-workers.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1-workers.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2-workers.conf
            contents: |
              # Multi-line
              # contents goes here
      storage:
        directories:      
        - path: /var/lib/kubelet/temporary/stuff
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
        - path: /var/lib/kubelet
          mode: 750
        - path: /var/lib/kubelet/temporary/stuff/workers
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
      
  
    + systemd:
        units:      
        - name: teleport.service
          enabled: true
          contents: |
            [Unit]
            Description=Teleport Service
            After=network.target
        
            [Service]
            Type=simple
            Restart=on-failure
            ExecStart=/opt/bin/teleport start --roles=node --config=/etc/teleport.yaml --pid-file=/run/teleport.pid
            ExecReload=/bin/kill -HUP $MAINPID
            PIDFile=/run/teleport.pid
            LimitNOFILE=524288
        
            [Install]
            WantedBy=multi-user.target      
        - name: kubeadm.service
          dropins:
          - name: 10-flatcar.conf
            contents: |
              [Unit]
              # kubeadm must run after coreos-metadata populated /run/metadata directory.
              Requires=coreos-metadata.service
              After=coreos-metadata.service
              [Service]
              # Ensure kubeadm service has access to kubeadm binary in /opt/bin on Flatcar.
              Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/bin
              # To make metadata environment variables available for pre-kubeadm commands.
              EnvironmentFile=/run/metadata/*
        - name: example1.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2.conf
            contents: |
              # Multi-line
              # contents goes here
        - name: example1-workers.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2-workers.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1-workers.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2-workers.conf
            contents: |
              # Multi-line
              # contents goes here
      storage:
        directories:      
        - path: /var/lib/kubelet/temporary/stuff
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
        - path: /var/lib/kubelet
          mode: 750
        - path: /var/lib/kubelet/temporary/stuff/workers
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
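Review bot: the only substantive change in this hunk is the new `teleport.service` entry at the head of `systemd.units`; every unit from `kubeadm.service` down, and the whole `storage` block, is byte-identical on the `-` and `+` sides, so the renderer is reporting a whole-value replacement of `additionalConfig` rather than a single list insertion, which is why the diff looks much larger than the change. On the unit itself, `After=network.target` only orders the service after the network management stack has started, not after the host has connectivity; a service that must reach the proxy at startup would normally carry `Wants=network-online.target` and `After=network-online.target`, with the existing `Restart=on-failure` as the fallback for transient failures. The `ExecReload=/bin/kill -HUP $MAINPID` and `PIDFile=` lines match the `--pid-file=/run/teleport.pid` argument in `ExecStart`, so the reload path is consistent.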
      
  
  

/spec/files  (KubeadmConfig/org-giantswarm/awesome-def00)
  + four list entries added:
    - path: /etc/systemd/system/teleport.service.d/http-proxy.conf
      permissions: 0644
      encoding: base64
      content: 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
    - path: /etc/teleport-join-token
      permissions: 0644
      contentFrom:
        secret:
          name: awesome-teleport-join-token
          key: joinToken
    - path: /opt/teleport-node-role.sh
      permissions: 0755
      encoding: base64
      content: IyEvYmluL2Jhc2gKCmlmIHN5c3RlbWN0bCBpcy1hY3RpdmUgLXEga3ViZWxldC5zZXJ2aWNlOyB0aGVuCiAgICBpZiBbIC1lICIvZXRjL2t1YmVybmV0ZXMvbWFuaWZlc3RzL2t1YmUtYXBpc2VydmVyLnlhbWwiIF07IHRoZW4KICAgICAgICBlY2hvICJjb250cm9sLXBsYW5lIgogICAgZWxzZQogICAgICAgIGVjaG8gIndvcmtlciIKICAgIGZpCmVsc2UKICAgIGVjaG8gIiIKZmkK
    - path: /etc/teleport.yaml
      permissions: 0644
      encoding: base64
      content: dmVyc2lvbjogdjMKdGVsZXBvcnQ6CiAgZGF0YV9kaXI6IC92YXIvbGliL3RlbGVwb3J0CiAgam9pbl9wYXJhbXM6CiAgICB0b2tlbl9uYW1lOiAvZXRjL3RlbGVwb3J0LWpvaW4tdG9rZW4KICAgIG1ldGhvZDogdG9rZW4KICBwcm94eV9zZXJ2ZXI6IHRlc3QudGVsZXBvcnQuZ2lhbnRzd2FybS5pbzo0NDMKICBsb2c6CiAgICBvdXRwdXQ6IHN0ZGVycgphdXRoX3NlcnZpY2U6CiAgZW5hYmxlZDogIm5vIgpzc2hfc2VydmljZToKICBlbmFibGVkOiAieWVzIgogIGNvbW1hbmRzOgogIC0gbmFtZTogbm9kZQogICAgY29tbWFuZDogW2hvc3RuYW1lXQogICAgcGVyaW9kOiAyNGgwbTBzCiAgLSBuYW1lOiBhcmNoCiAgICBjb21tYW5kOiBbdW5hbWUsIC1tXQogICAgcGVyaW9kOiAyNGgwbTBzCiAgLSBuYW1lOiByb2xlCiAgICBjb21tYW5kOiBbL29wdC90ZWxlcG9ydC1ub2RlLXJvbGUuc2hdCiAgICBwZXJpb2Q6IDFtMHMKICBsYWJlbHM6CiAgICBtYzogZ2lhbnRtYwogICAgY2x1c3RlcjogYXdlc29tZQogICAgYmFzZURvbWFpbjogZXhhbXBsZS5naWdhbnRpYy5pbwpwcm94eV9zZXJ2aWNlOgogIGVuYWJsZWQ6ICJubyIK
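Review bot: `/etc/teleport-join-token` is materialised from the `awesome-teleport-join-token` Secret (key `joinToken`) but written with `permissions: 0644`, which leaves the join token readable by every local user and process on the node; since only the root-run `teleport` process reads it, `0600` (or `0400`) would be the tighter choice, and the same applies to the identical entries for the other KubeadmConfig and the KubeadmControlPlane below. The remaining three entries are consistent with each other: decoding the base64 `content` of `/etc/teleport.yaml` shows `join_params.token_name: /etc/teleport-join-token` and `method: token`, so the file this entry writes is the one the config reads, and its `role` label runs `/opt/teleport-node-role.sh`, which is written here with `0755` so the execute bit is present.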
    
  

/spec/ignition/containerLinuxConfig/additionalConfig  (KubeadmConfig/org-giantswarm/awesome-rt5y7)
  ± value change
    - systemd:
        units:      
        - name: kubeadm.service
          dropins:
          - name: 10-flatcar.conf
            contents: |
              [Unit]
              # kubeadm must run after coreos-metadata populated /run/metadata directory.
              Requires=coreos-metadata.service
              After=coreos-metadata.service
              [Service]
              # Ensure kubeadm service has access to kubeadm binary in /opt/bin on Flatcar.
              Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/bin
              # To make metadata environment variables available for pre-kubeadm commands.
              EnvironmentFile=/run/metadata/*
        - name: example1.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2.conf
            contents: |
              # Multi-line
              # contents goes here
        - name: example1-workers.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2-workers.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1-workers.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2-workers.conf
            contents: |
              # Multi-line
              # contents goes here
      storage:
        directories:      
        - path: /var/lib/kubelet/temporary/stuff
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
        - path: /var/lib/kubelet
          mode: 750
        - path: /var/lib/kubelet/temporary/stuff/workers
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
      
  
    + systemd:
        units:      
        - name: teleport.service
          enabled: true
          contents: |
            [Unit]
            Description=Teleport Service
            After=network.target
        
            [Service]
            Type=simple
            Restart=on-failure
            ExecStart=/opt/bin/teleport start --roles=node --config=/etc/teleport.yaml --pid-file=/run/teleport.pid
            ExecReload=/bin/kill -HUP $MAINPID
            PIDFile=/run/teleport.pid
            LimitNOFILE=524288
        
            [Install]
            WantedBy=multi-user.target      
        - name: kubeadm.service
          dropins:
          - name: 10-flatcar.conf
            contents: |
              [Unit]
              # kubeadm must run after coreos-metadata populated /run/metadata directory.
              Requires=coreos-metadata.service
              After=coreos-metadata.service
              [Service]
              # Ensure kubeadm service has access to kubeadm binary in /opt/bin on Flatcar.
              Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/bin
              # To make metadata environment variables available for pre-kubeadm commands.
              EnvironmentFile=/run/metadata/*
        - name: example1.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2.conf
            contents: |
              # Multi-line
              # contents goes here
        - name: example1-workers.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2-workers.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1-workers.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2-workers.conf
            contents: |
              # Multi-line
              # contents goes here
      storage:
        directories:      
        - path: /var/lib/kubelet/temporary/stuff
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
        - path: /var/lib/kubelet
          mode: 750
        - path: /var/lib/kubelet/temporary/stuff/workers
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
      
  
  

/spec/files  (KubeadmConfig/org-giantswarm/awesome-rt5y7)
  + four list entries added:
    - path: /etc/systemd/system/teleport.service.d/http-proxy.conf
      permissions: 0644
      encoding: base64
      content: 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
    - path: /etc/teleport-join-token
      permissions: 0644
      contentFrom:
        secret:
          name: awesome-teleport-join-token
          key: joinToken
    - path: /opt/teleport-node-role.sh
      permissions: 0755
      encoding: base64
      content: IyEvYmluL2Jhc2gKCmlmIHN5c3RlbWN0bCBpcy1hY3RpdmUgLXEga3ViZWxldC5zZXJ2aWNlOyB0aGVuCiAgICBpZiBbIC1lICIvZXRjL2t1YmVybmV0ZXMvbWFuaWZlc3RzL2t1YmUtYXBpc2VydmVyLnlhbWwiIF07IHRoZW4KICAgICAgICBlY2hvICJjb250cm9sLXBsYW5lIgogICAgZWxzZQogICAgICAgIGVjaG8gIndvcmtlciIKICAgIGZpCmVsc2UKICAgIGVjaG8gIiIKZmkK
    - path: /etc/teleport.yaml
      permissions: 0644
      encoding: base64
      content: 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
    
  

/spec/kubeadmConfigSpec/ignition/containerLinuxConfig/additionalConfig  (KubeadmControlPlane/org-giantswarm/awesome)
  ± value change
    - systemd:
        units:      
        - name: kubeadm.service
          dropins:
          - name: 10-flatcar.conf
            contents: |
              [Unit]
              # kubeadm must run after coreos-metadata populated /run/metadata directory.
              Requires=coreos-metadata.service
              After=coreos-metadata.service
              [Service]
              # Ensure kubeadm service has access to kubeadm binary in /opt/bin on Flatcar.
              Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/bin
              # To make metadata environment variables available for pre-kubeadm commands.
              EnvironmentFile=/run/metadata/*
        - name: example1.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2.conf
            contents: |
              # Multi-line
              # contents goes here
        - name: example1-control-plane.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2-control-plane.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1-control-plane.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2-control-plane.conf
            contents: |
              # Multi-line
              # contents goes here
      storage:
        filesystems:      
        - name: etcd
          mount:
            device: /dev/xvdc
            format: xfs
            label: etcd
        - name: containerd
          mount:
            device: /dev/xvdd
            format: xfs
            label: containerd
        - name: kubelet
          mount:
            device: /dev/xvde
            format: xfs
            label: kubelet
        directories:      
        - path: /var/lib/kubelet/temporary/stuff
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
        - path: /var/lib/kubelet
          mode: 750
        - path: /var/lib/kubelet/temporary/stuff/control-plane
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
      
  
    + systemd:
        units:      
        - name: teleport.service
          enabled: true
          contents: |
            [Unit]
            Description=Teleport Service
            After=network.target
        
            [Service]
            Type=simple
            Restart=on-failure
            ExecStart=/opt/bin/teleport start --roles=node --config=/etc/teleport.yaml --pid-file=/run/teleport.pid
            ExecReload=/bin/kill -HUP $MAINPID
            PIDFile=/run/teleport.pid
            LimitNOFILE=524288
        
            [Install]
            WantedBy=multi-user.target      
        - name: kubeadm.service
          dropins:
          - name: 10-flatcar.conf
            contents: |
              [Unit]
              # kubeadm must run after coreos-metadata populated /run/metadata directory.
              Requires=coreos-metadata.service
              After=coreos-metadata.service
              [Service]
              # Ensure kubeadm service has access to kubeadm binary in /opt/bin on Flatcar.
              Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/bin
              # To make metadata environment variables available for pre-kubeadm commands.
              EnvironmentFile=/run/metadata/*
        - name: example1.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2.conf
            contents: |
              # Multi-line
              # contents goes here
        - name: example1-control-plane.service
          enabled: false
          mask: false
          contents: |
            # Contents goes here
          dropins:
          - name: hello.conf
            contents: |
              # Contents goes here
        - name: example2-control-plane.service
          enabled: false
          mask: false
          contents: |
            # Multi-line
            # contents goes here
          dropins:
          - name: hello1-control-plane.conf
            contents: |
              # Multi-line
              # contents goes here
          - name: hello2-control-plane.conf
            contents: |
              # Multi-line
              # contents goes here
      storage:
        filesystems:      
        - name: etcd
          mount:
            device: /dev/xvdc
            format: xfs
            label: etcd
        - name: containerd
          mount:
            device: /dev/xvdd
            format: xfs
            label: containerd
        - name: kubelet
          mount:
            device: /dev/xvde
            format: xfs
            label: kubelet
        directories:      
        - path: /var/lib/kubelet/temporary/stuff
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
        - path: /var/lib/kubelet
          mode: 750
        - path: /var/lib/kubelet/temporary/stuff/control-plane
          overwrite: true
          filesystem: kubelet
          mode: 750
          user:
            id: 12345
            name: giantswarm
          group:
            id: 23456
            name: giantswarm
      
  
  

/spec/kubeadmConfigSpec/files  (KubeadmControlPlane/org-giantswarm/awesome)
  + four list entries added:
    - path: /etc/systemd/system/teleport.service.d/http-proxy.conf
      permissions: 0644
      encoding: base64
      content: 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
    - path: /etc/teleport-join-token
      permissions: 0644
      contentFrom:
        secret:
          name: awesome-teleport-join-token
          key: joinToken
    - path: /opt/teleport-node-role.sh
      permissions: 0755
      encoding: base64
      content: IyEvYmluL2Jhc2gKCmlmIHN5c3RlbWN0bCBpcy1hY3RpdmUgLXEga3ViZWxldC5zZXJ2aWNlOyB0aGVuCiAgICBpZiBbIC1lICIvZXRjL2t1YmVybmV0ZXMvbWFuaWZlc3RzL2t1YmUtYXBpc2VydmVyLnlhbWwiIF07IHRoZW4KICAgICAgICBlY2hvICJjb250cm9sLXBsYW5lIgogICAgZWxzZQogICAgICAgIGVjaG8gIndvcmtlciIKICAgIGZpCmVsc2UKICAgIGVjaG8gIiIKZmkK
    - path: /etc/teleport.yaml
      permissions: 0644
      encoding: base64
      content: 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
    
  

@nprokopic
Contributor Author

nprokopic commented Nov 9, 2023

For some reason the above diff for Ignition shows all systemd units as removed, and those same systemd units added + Teleport systemd unit, while the only diff is Teleport systemd unit being added. Files diff looks fine.
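One way to confirm that the files diff really is fine, as an added example (not code from this PR or the cluster chart): the four `files` entries that the rendered diff shows for KubeadmConfig/org-giantswarm/awesome-def00 are transcribed below, and a small review check decodes the base64 bodies, pulls `join_params.token_name`, `method` and `proxy_server` out of the rendered /etc/teleport.yaml, confirms that the token path is actually written by an entry and that the label command script is executable, and flags any Secret-backed file written with a mode wider than 0600. The http-proxy.conf body is elided on the page, so a constructed placeholder stands in for it; everything else is taken verbatim from the diff.

```python
"""Review check over the rendered KubeadmConfig `files` entries added for Teleport.

Added example for review purposes; not code from the cluster chart or this PR.
"""
import base64
import re

# Entries transcribed from the rendered diff for KubeadmConfig/org-giantswarm/awesome-def00.
# The http-proxy.conf body is elided on the PR page, so a constructed placeholder stands in.
TELEPORT_FILES = [
    {
        "path": "/etc/systemd/system/teleport.service.d/http-proxy.conf",
        "permissions": "0644",
        "encoding": "base64",
        "content": base64.b64encode(b"# placeholder: body elided in the rendered diff\n").decode(),
    },
    {
        "path": "/etc/teleport-join-token",
        "permissions": "0644",
        "contentFrom": {"secret": {"name": "awesome-teleport-join-token", "key": "joinToken"}},
    },
    {
        "path": "/opt/teleport-node-role.sh",
        "permissions": "0755",
        "encoding": "base64",
        "content": "IyEvYmluL2Jhc2gKCmlmIHN5c3RlbWN0bCBpcy1hY3RpdmUgLXEga3ViZWxldC5zZXJ2aWNlOyB0aGVuCiAgICBpZiBbIC1lICIvZXRjL2t1YmVybmV0ZXMvbWFuaWZlc3RzL2t1YmUtYXBpc2VydmVyLnlhbWwiIF07IHRoZW4KICAgICAgICBlY2hvICJjb250cm9sLXBsYW5lIgogICAgZWxzZQogICAgICAgIGVjaG8gIndvcmtlciIKICAgIGZpCmVsc2UKICAgIGVjaG8gIiIKZmkK",
    },
    {
        "path": "/etc/teleport.yaml",
        "permissions": "0644",
        "encoding": "base64",
        "content": "dmVyc2lvbjogdjMKdGVsZXBvcnQ6CiAgZGF0YV9kaXI6IC92YXIvbGliL3RlbGVwb3J0CiAgam9pbl9wYXJhbXM6CiAgICB0b2tlbl9uYW1lOiAvZXRjL3RlbGVwb3J0LWpvaW4tdG9rZW4KICAgIG1ldGhvZDogdG9rZW4KICBwcm94eV9zZXJ2ZXI6IHRlc3QudGVsZXBvcnQuZ2lhbnRzd2FybS5pbzo0NDMKICBsb2c6CiAgICBvdXRwdXQ6IHN0ZGVycgphdXRoX3NlcnZpY2U6CiAgZW5hYmxlZDogIm5vIgpzc2hfc2VydmljZToKICBlbmFibGVkOiAieWVzIgogIGNvbW1hbmRzOgogIC0gbmFtZTogbm9kZQogICAgY29tbWFuZDogW2hvc3RuYW1lXQogICAgcGVyaW9kOiAyNGgwbTBzCiAgLSBuYW1lOiBhcmNoCiAgICBjb21tYW5kOiBbdW5hbWUsIC1tXQogICAgcGVyaW9kOiAyNGgwbTBzCiAgLSBuYW1lOiByb2xlCiAgICBjb21tYW5kOiBbL29wdC90ZWxlcG9ydC1ub2RlLXJvbGUuc2hdCiAgICBwZXJpb2Q6IDFtMHMKICBsYWJlbHM6CiAgICBtYzogZ2lhbnRtYwogICAgY2x1c3RlcjogYXdlc29tZQogICAgYmFzZURvbWFpbjogZXhhbXBsZS5naWdhbnRpYy5pbwpwcm94eV9zZXJ2aWNlOgogIGVuYWJsZWQ6ICJubyIK",
    },
]


def decoded_content(entry):
    """Body of an inline entry as text (base64-decoded when declared); None for Secret-backed entries."""
    if "contentFrom" in entry:
        return None
    body = entry.get("content", "")
    if entry.get("encoding") == "base64":
        return base64.b64decode(body, validate=True).decode()
    return body


def entry_mode(entry):
    """Octal permission string such as "0644" as an int mode."""
    return int(entry["permissions"], 8)


def overly_permissive_secrets(files, max_mode=0o600):
    """Paths of Secret-backed files whose mode grants any bit outside max_mode (group/other access)."""
    return [f["path"] for f in files
            if "secret" in f.get("contentFrom", {}) and entry_mode(f) & ~max_mode]


def teleport_settings(files):
    """Join token path, join method and proxy address from the rendered /etc/teleport.yaml.
    The three keys are plain scalars on their own lines, so a line regex is enough here."""
    text = decoded_content(next(f for f in files if f["path"] == "/etc/teleport.yaml"))

    def scalar(key):
        m = re.search(rf"^\s*{key}:\s*(\S+)\s*$", text, re.MULTILINE)
        return m.group(1) if m else None

    return {k: scalar(k) for k in ("token_name", "method", "proxy_server")}


def label_commands(files):
    """First word of each `command: [...]` list under ssh_service.commands in /etc/teleport.yaml."""
    text = decoded_content(next(f for f in files if f["path"] == "/etc/teleport.yaml"))
    return [m.group(1).split(",")[0].strip()
            for m in re.finditer(r"command:\s*\[([^\]]*)\]", text)]


def review(files):
    """The checks a reviewer of this diff would want, returned as finding strings (empty = clean)."""
    by_path = {f["path"]: f for f in files}
    settings = teleport_settings(files)
    findings = []
    # 1. Token join needs the token file that teleport.yaml names to actually be written.
    if settings["method"] == "token" and settings["token_name"] not in by_path:
        findings.append(f"join_params.token_name {settings['token_name']} is not written by any files entry")
    # 2. A file materialised from a Secret should not be readable by other local users.
    for path in overly_permissive_secrets(files):
        findings.append(f"{path} comes from a Secret but is written with mode {by_path[path]['permissions']}")
    # 3. Absolute label commands must be written by the same manifest and carry an execute bit.
    for cmd in label_commands(files):
        if cmd.startswith("/"):
            if cmd not in by_path:
                findings.append(f"label command {cmd} is not written by any files entry")
            elif not entry_mode(by_path[cmd]) & 0o111:
                findings.append(f"label command {cmd} is written without an execute bit")
    return findings


if __name__ == "__main__":
    for line in review(TELEPORT_FILES) or ["no findings"]:
        print(line)
```

Run against the transcribed entries it reports a single finding: `/etc/teleport-join-token` comes from a Secret but is written with mode 0644. Changing that entry to 0600 makes the check come back clean, and dropping the role script entry makes it flag the dangling `/opt/teleport-node-role.sh` label command, so the same script doubles as a regression check for future ports of the Teleport files.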

@nprokopic
Contributor Author

Known issues with schema linting.

@nprokopic
Contributor Author

Restart=on-failure should also be added to the audit-rules.service systemd unit, like this:

- name: audit-rules.service
  enabled: true
  dropins:
  - name: 10-wait-for-containerd.conf
    contents: |
      [Service]
      ExecStartPre=/bin/bash -c "while [ ! -f /etc/audit/rules.d/containerd.rules ]; do echo 'Waiting for /etc/audit/rules.d/containerd.rules to be written' && sleep 1; done"
      Restart=on-failure

But that will be added in the cluster chart's Helm values when the cluster chart is used in cluster-aws, because almost all systemd units will initially be specified in every cluster- app, until we figure out which are really common across all providers. (The Teleport systemd unit is the first one that is included directly in the cluster chart, if Teleport is enabled.)

@nprokopic nprokopic marked this pull request as ready for review November 9, 2023 15:42
@nprokopic nprokopic requested a review from a team as a code owner November 9, 2023 15:42
@nprokopic nprokopic requested a review from tuladhar November 9, 2023 15:42
Contributor

@tuladhar tuladhar left a comment


LGTM. Thank you!

@nprokopic nprokopic merged commit 47089f2 into main Nov 10, 2023
9 of 11 checks passed
@nprokopic nprokopic deleted the add-teleport-support branch November 10, 2023 11:50